VLANs with tagged and untagged ports

Currently traffic should be allowed between bridge1 and vlan10 (either side can establish new connection) because there is an implicit "accept" at the end of the built-in forward chain. For at least the input and forward chains, anything not matching a rule that matches will be accepted (allowed). @anav will tell you how to change that to drop by default by adding a new "block all else" rule at the end. Then you will have to explicitly allow all routed traffic, including the inter-vlan traffic.

Currently vlan10 should not be able to reach the router, so you may want to temporarily add vlan10 to the LAN list. But I think dhcp will work even if not allowed, because it operates at the raw socket layer (see BOOTP/DHCP bypasses NAT firewall).

After we are sure the underlying connection is working, then the firewall can be adjusted to implement the "one way" connection.

OK, at this point, if you plug a PC into one of ports 25-48 of the external switch, is it getting an IP address from the dhcp_pool10 ranges=10.0.10.100-10.0.10.254? First lease will probably be 10.0.10.254.

If not, then the switch1 config may be incorrect.

If that works, are you able to communicate with a device connected to the lower ports with an address from dhcp_pool1? If it does not work, then verify that there isn't a host-based firewall (e.g. Windows firewall by default blocks traffic from "foreign" networks, where foreign means "not connected route" that must use the default gateway) on the device in 10.0.0.0/24, because the current firewall on the CCR2216 isn't currently blocking traffic between any non-WAN interfaces. See Firewall - RouterOS - MikroTik Documentation and Firewall Rule Concept.

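To make the "block all else" rule and the one-way bridge1 -> vlan10 allowance described above concrete, here is an added example RouterOS v7 filter configuration (my own, not from this post or from MikroTik). It assumes the interface names bridge1 and vlan10 from the thread, and the interface lists LAN and WAN as created by the RouterOS default configuration.

```routeros
# Added example, not from the post: replace the implicit "accept" at the end of
# the input and forward chains with an explicit drop, then allow only what is needed.
# Assumed names: interfaces bridge1 and vlan10, interface lists LAN and WAN.

# Temporarily put vlan10 in the LAN list so its clients can reach router services
# (the post notes DHCP should work even without this, since the DHCP server bypasses the filter).
/interface list member
add list=LAN interface=vlan10 comment="temporary: vlan10 may reach router services"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to connections the router opened or already allowed"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface-list=LAN comment="LAN interfaces may use router services"
add chain=input action=drop comment="block all else (replaces the implicit accept)"

# --- forward chain: traffic routed between interfaces ---
add chain=forward action=accept connection-state=established,related,untracked \
    comment="return traffic for connections allowed below"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface=bridge1 out-interface=vlan10 \
    comment="one way: bridge1 hosts may open connections to vlan10"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="internet access for both networks"
add chain=forward action=drop comment="block all else: vlan10 cannot initiate to bridge1"
```

Enter these in Safe Mode (Ctrl-X in the terminal) so a mistake in the input chain rolls back instead of locking you out of the CCR2216; rule order matters because RouterOS evaluates filter rules top to bottom and the drop rules must stay last.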